PT-2020-1634 · Eclipse · Eclipse Memory Analyzer

Iassen Minov · Published 2020-01-17 · Updated 2020-01-24 · CVE-2019-17634

CVSS v3.1: 9.0 Critical

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Eclipse Memory Analyzer versions 1.9.1 and earlier

Description

The issue is related to errors in processing specially crafted HTML requests in the reporting component of the Eclipse Memory Analyzer software for Java application analysis. Exploitation of this issue may allow a remote attacker to execute arbitrary code on the target system. The vulnerability can be triggered when a user generates an HTML report from a malicious heap dump, which could be specially crafted or come from a crafted application or an application processing malicious data. This can occur when a report is generated and opened from the Memory Analyzer graphical user interface or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser.

Recommendations

For Eclipse Memory Analyzer versions 1.9.1 and earlier, avoid generating HTML reports from untrusted heap dumps until a fix is available. As a temporary workaround, consider disabling the HTML report generation feature in the Memory Analyzer graphical user interface to minimize the risk of exploitation. Restrict access to the reporting component to prevent potential attacks.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2020-00840
CVE-2019-17634

Affected Products

Eclipse Memory Analyzer